The Watering Hole: Is it Safe to Drink?

How many times have you been told you have a vulnerability whose
relevance you just don't understand? Cross-site scripting comes to
mind for many people. Sure, they get the fact that you can execute
scripts in the user's browser, but oftentimes they don't fully
understand the impact. Of course, we determine that impact through risk
analysis. What is the true impact, and how much risk does it pose to
the affected parties?
Over the years, I have heard numerous companies and previous
employers state that no one would attack them because they are too small
or that they don't have anything the attackers would want. I
have always disagreed with this statement or theory. Maybe you are a
company that doesn't hold financial data or health information.
Maybe you don't deal with sensitive information at all. So what is the
risk?
We have to start thinking about more than just the type of data that
we hold. We have to look at the bigger picture. Who are our clients or
users? Who do we do business with that may have something of interest
to an attacker? One of the big concerns that has been directed toward
these smaller companies is the idea of pivoting. If I wanted to attack
a major bank, would it make sense to attack the bank directly? Very
large banks usually have bigger budgets and theoretically would have
stronger security controls in place. That could be a lot of work to get
through that entry point. But what about that small company with a
smaller budget and probably (not always) fewer security controls
that does business with that big bank? Is there an opportunity to
compromise the small company and pivot into the larger bank through a
B2B channel they have set up? This is certainly a possibility.
Something newer we are seeing is the idea of a watering hole
attack. This focuses more on WHO visits your site. The idea
behind a watering hole attack is that it is a targeted drive-by malware
attack. Rather than putting a malicious payload on a site that
EVERYONE accesses, why not target a site that the victim you are
tracking frequents? Think of this as similar to the difference between
phishing and spear phishing. In a phishing attack we send the
attack email out en masse, but in spear phishing we are much more selective
about who receives the message. The same goes for the watering hole
attack.
As always, we are witnessing the evolution of these attacks.
Migrating from a broad spreading mechanism to a more targeted one has a
lot of benefits for the attacker. One is that the specific target is more likely to
fall prey. Two, there is less chance of the attack getting noticed if
fewer users actually see it. We have seen other situations where the
attackers have built their delivery mechanism to withhold the payload from
known security professionals or researchers, based on their IP address, to
avoid getting noticed as quickly.
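As an added example (not part of the original post), here is one defender-side check against the kind of drive-by injection described above: it parses a page's script tags and reports any external script source or inline script body that is not in a known-good baseline of your own site. The HTML samples and the cdn.example.invalid URL are constructed placeholders, and the baseline/fetch workflow around it is an assumption.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and sha256 hashes of inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # sha256 of each inline <script> body
        self._buf = None     # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None


def script_baseline(html):
    """Allowlist (external srcs, inline hashes) taken from a known-good copy."""
    p = _ScriptCollector()
    p.feed(html)
    return set(p.external), set(p.inline)


def find_unexpected_scripts(html, baseline):
    """Return (new external srcs, new inline hashes) absent from the baseline."""
    allowed_src, allowed_inline = baseline
    p = _ScriptCollector()
    p.feed(html)
    return ([s for s in p.external if s not in allowed_src],
            [h for h in p.inline if h not in allowed_inline])


# Constructed sample: the page as deployed, and the same page with one
# extra script tag appended (placeholder URL standing in for a loader).
KNOWN_GOOD = ('<html><body><script src="/static/app.js"></script>'
              '<script>initPage();</script></body></html>')
LIVE = KNOWN_GOOD.replace(
    "</body>", '<script src="https://cdn.example.invalid/x.js"></script></body>')
```

Run the comparison on a schedule against the live page; a non-empty result means a script appeared that your deployment never shipped, which is the first thing a watering hole compromise changes.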
The watering hole is just another example of why security does matter
to every website, no matter what your content may be. Even if the
attack isn't against our servers but against our users, it can have a
serious effect on our businesses. The next time you hear someone say
that they are too small or don't have any data that attackers may want,
think about the watering hole concept and see if you are still a nobody
in this world.

James Jardine is a Principal Security Consultant with Secure Ideas.
If you are in need of a penetration test or other security consulting
services you can contact him at james@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.